-----BEGIN PGP SIGNED MESSAGE-----

CIAC NOTES

Number 95-10    June 16, 1995

This edition of CIAC NOTES includes:

1) PKZIP003 Trojan
2) Logdaemon/FreeBSD vulnerability in S/Key
3) EBOLA Virus Hoax
4) Caibua Virus

Please send your comments and feedback to ciac@llnl.gov.

$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$
$ Reference to any specific commercial product does not necessarily   $
$ constitute or imply its endorsement, recommendation or favoring by  $
$ CIAC, the University of California, or the United States Government.$
$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$

=========================================================================
1) PKZIP Trojan
=========================================================================

A Trojaned version of the popular DOS file compression utility PKZIP is
circulating on the networks and on dial-up BBS systems. The Trojaned files
are PKZ300B.EXE and PKZ300B.ZIP. CIAC verified the following warning from
PKWARE:

- -------------------------------------------------------------------------
Some joker out there is distributing a file called PKZ300B.EXE and
PKZ300B.ZIP. This is NOT a version of PKZIP and will try to erase your
hard drive if you use it. The most recent version is 2.04G. Please tell
all your friends and favorite BBS stops about this hack.

Thank You.

Patrick Weeks
Product Support
PKWARE, Inc.
- -------------------------------------------------------------------------

PKZ300B.EXE appears to be a self-extracting archive, but actually attempts
to format your hard drive. PKZ300B.ZIP is an archive, but the extracted
executable also attempts to format your hard drive. While PKWARE indicated
the Trojan is real, we have not talked to anyone who has actually touched
it. We have no reports of it being seen anywhere in the DOE.
According to PKWARE, the only released versions of PKZIP are: 1.10, 1.93,
2.04c, 2.04e and 2.04g. All other versions currently circulating on BBS's
are hacks or fakes. The current version of PKZIP and PKUNZIP is 2.04g.

The current version of PKZIP is available in the CIAC Archive, or directly
from PKWARE.

- From CIAC:
     ftp://ciac.llnl.gov/pub/ciac/util/pc/pkz204g.exe
     BBS: 510-423-4753, 510-423-3331

- From PKWARE:
     ftp://pkware.com/pub/pkware/pkz204g.exe
     BBS: 414-354-8670

Note: Don't forget to pay your shareware fees.

=========================================================================
2) Logdaemon/FreeBSD vulnerability in S/Key
=========================================================================

The following was released by Wietse Venema through vendor bulletin
VB-95:04.venema (ftp://cert.org:/pub/cert_bulletins/VB-95:04.venema).
Wietse Venema urges you to act on this information as soon as possible.
Please contact Wietse Venema if you have any questions or need further
information.

>A vulnerability exists in my own S/Key software enhancements. Since
>these enhancements are in wide-spread use, a public announcement is
>appropriate. The vulnerability affects the following products:
>
>     FreeBSD version 1.1.5.1
>     FreeBSD version 2.0
>     logdaemon versions before 4.9
>
>I recommend that users of this software follow the instructions given
>below in section III.
>
>------------------------------------------------------------------------
>
>I. Description
>
>     An obscure oversight was found in software that I derived from
>     the S/Key software from Bellcore (Bell Communications Research).
>     Analysis revealed that my oversight introduces a vulnerability.
>
>     Note: the vulnerability is not present in the original S/Key
>     software from Bellcore.
>
>II. Impact
>
>     Unauthorized users can gain privileges of other users, possibly
>     including root.
>
>     The vulnerability can be exploited only by users with a valid
>     account.
>     It cannot be exploited by arbitrary remote users.
>
>     The vulnerability can affect all FreeBSD 1.1.5.1 and FreeBSD 2.0
>     implementations and all Logdaemon versions before 4.9. The problem
>     exists only when S/Key logins are supported (which is the default
>     for FreeBSD). Sites with S/Key logins disabled are not vulnerable.
>
>III. Solution
>
>     Logdaemon users:
>     ================
>     Upgrade to version 4.9
>
>     URL ftp://ftp.win.tue.nl/pub/security/logdaemon-4.9.tar.gz.
>     MD5 checksum 3d01ecc63f621f962a0965f13fe57ca6
>
>     To plug the hole, build and install the ftpd, rexecd and login
>     programs. If you installed the keysu and skeysh commands, these
>     need to be replaced too.
>
>     FreeBSD 1.1.5.1 and FreeBSD 2.0 users:
>     ======================================
>     Retrieve the corrected files that match the system you are
>     running:
>
>     URL ftp://ftp.cdrom.com/pub/FreeBSD/CERT/libskey-1.1.5.1.tgz
>     MD5 checksum bf3a8e8e10d63da9de550b0332107302
>
>     URL ftp://ftp.cdrom.com/pub/FreeBSD/CERT/libskey-2.0.tgz
>     MD5 checksum d58a17f4216c3ee9b9831dbfcff93d29
>
>     Unpack the tar archive and follow the instructions in the
>     README file.
>
>     FreeBSD current users:
>     ======================
>     Update your /usr/src/lib/libskey sources and rebuild and
>     install libskey (both shared and non-shared versions).
>
>     The vulnerability has been fixed with FreeBSD 2.0.5.
>
>-------------------------------------------------------------------------
>
>S/KEY is a trademark of Bellcore (Bell Communications Research).
>
>Wietse Venema appreciates helpful assistance with the resolution of
>this vulnerability from CERT/CC; Rodney W. Grimes, FreeBSD Core Team
>Member; Guido van Rooij, Philips Communication and Processing Services;
>Walter Belgers.

CIAC would like to thank Wietse Venema and CERT/CC for the information in
section 2 of this CIAC Notes article.

=========================================================================
3) EBOLA Virus Hoax
=========================================================================

The following note circulated around the networks last month warning of a
new and potentially deadly computer virus. However, after chasing down the
sources of the note, CIAC has found that this is another hoax, similar to
the Good Times Hoax.

- --------------------------- Start of HOAX --------------------------------

** Imporant! VIRUS ALERT **

A message has just been recieved from DataTech Development in Westhills,
Texas. It reads as follows:

"A very *Dangerous* virus has just been released, Primarily Affecting Unix
users who have FTP'd files from a Major server in the last few days. This
virus patches itself onto the source code of FTP, and automatically
piggybacks on files FTP'd to another site or user where it again patches
iself onto FTP. When an infected User runs ELM or PINE, the virus secretly
sends one of several pre-written disgusting letters to the user's SysAmin,
addressed from the unlucky victim. The letters contain graphic appeals for
sexual favors of a deviant nature , or explicitly describe Diane Sawyer
bondage fantasies. As a result of this, many have had their access revoked,
causing both users and sysadmins alike much grief, and creating an
administrative backlog for the re-instation of accounts. As yet, we have
not been able to properly trace the distribution of the EBOLA Virus, so you
are best advised to Disinfect any files recently FTP'd from a Unix
based-server.

Standby for Updates,
|>ataTech |>evelopment."

- --------------------------- End of HOAX ----------------------------------

As of this date, we have not been able to locate a DataTech Development of
Westhills, Texas; in fact, we have not even been able to locate a town of
Westhills, Texas.
Also, we have not been able to locate the person who uploaded this message
to several newsgroups, or anyone who has actually seen it. Pending any
evidence to the contrary, we believe that this message is a hoax.

============================================================================
4) Caibua Virus
============================================================================

The initial warnings about the outrageous behavior of the Caibua virus
(alias: Butthead, BUA-2263) made us suspect that it was another hoax, but
this one is real. The Caibua virus was originally distributed in the
package BESTSSVR.ZIP which contained the program COOLSAVR.COM. This is
supposed to be an interesting screen saver, and does contain some
interesting graphics. While you are watching the graphics, it is infecting
two of your .COM files with the Caibua virus.

The Caibua is a relatively unsophisticated virus, of a kind that doesn't
normally spread very well in the wild. It is a non-resident infector of
*.COM files in the current directory and on the PATH. Each time an infected
program is executed, two .COM files are infected with the virus. Because of
this slow multiplication factor, the virus does not spread very rapidly.

If the date is May 5, 1995 or after, and the time is between 3pm and 7pm,
it displays a phallic symbol marching across the screen. The damage
routines are executed after the virus has been run about 20 times. Damage
consists of creating directories named "Caibua", "FUCK YOU", "EAT SHIT" and
"BITE ME!", erasing the first file in the current directory on the default
drive, and overwriting the system and boot areas of the C: drive, rendering
it unreadable.

Most current anti-virus scanners do not detect the Caibua virus. A free
virus scanner is available from the makers of InVircible, in: XCAIBUA.ZIP.
XCAIBUA.ZIP is available on the CIAC archive, or directly from InVircible.
Note that XCAIBUA does not detect the infection in the original file,
COOLSAVR.COM.

- From CIAC:
     ftp://ciac.llnl.gov/pub/ciac/sectools/pcvirus/xcaibua.zip
     BBS: 510-423-4753, 510-423-3331

- From InVircible:
     ftp://InVircible.com/antivirus/av-software/invircible/xcaibua.exe

============================================================================

- ----------------------------------
Who is CIAC?

CIAC is the U.S. Department of Energy's Computer Incident Advisory
Capability. Established in 1989, shortly after the Internet Worm, CIAC
provides various computer security services free of charge to employees and
contractors of the DOE, such as:

     . Incident Handling Consulting
     . Computer Security Information
     . On-site Workshops
     . White-hat Audits

CIAC is located at Lawrence Livermore National Laboratory in Livermore,
California, and is a part of its Computer Security Technology Center.
Further information can be found at CIAC.

CIAC is also a founding member of FIRST, the Forum of Incident Response and
Security Teams, a global organization established to foster cooperation and
coordination among computer security teams worldwide. See FIRST for more
details (http://www.first.org/first/).

CIAC services are available for a fee to other Federal civilian agencies.
Contact Nancy Adair in the DOE Oakland Operation Office 510-637-1741.

- ----------------------------------

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy. CIAC is located
at the Lawrence Livermore National Laboratory in Livermore, California.
CIAC is also a founding member of FIRST, the Forum of Incident Response and
Security Teams, a global organization established to foster cooperation and
coordination among computer security teams worldwide.

CIAC services are available to DOE and DOE contractors, and can be
contacted at:

     Voice:   510-422-8193
     FAX:     510-423-8002
     STU-III: 510-423-2604
     E-mail:  ciac@llnl.gov

For emergencies and off-hour assistance, DOE and DOE contractor sites may
contact CIAC 24-hours a day.
During off hours (5PM - 8AM PST), call the CIAC voice number 510-422-8193
and leave a message, or call 800-759-7243 (800-SKY-PAGE) to send a Sky
Page. CIAC has two Sky Page PIN numbers: the primary PIN number, 8550070,
is for the CIAC duty person, and the secondary PIN number, 8550074, is for
the CIAC Project Leader.

Previous CIAC notices, anti-virus software, PGP public key, and other
information are available from the CIAC Computer Security Archive.

     World Wide Web: http://ciac.llnl.gov/
     Anonymous FTP:  ciac.llnl.gov (128.115.19.53)
     Modem access:   (510) 423-4753 (14.4K baud)
                     (510) 423-3331 (9600 baud)

CIAC has several self-subscribing mailing lists for electronic
publications:

1. CIAC-BULLETIN for Advisories, highest priority - time critical
   information and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI)
   software updates, new features, distribution and availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the use of
   SPI products.

Our mailing lists are managed by a public domain software package called
ListProcessor, which ignores E-mail header subject lines. To subscribe (add
yourself) to one of our mailing lists, send the following request as the
E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE
or SPI-NOTES for list-name and valid information for LastName FirstName and
PhoneNumber when sending E-mail to ciac-listproc@llnl.gov:

           subscribe list-name LastName, FirstName PhoneNumber
     e.g., subscribe ciac-notes O'Hara, Scarlett W. 404-555-1212 x36

You will receive an acknowledgment containing address, initial PIN, and
information on how to change either of them, cancel your subscription, or
get help.

- ------------------------------------------------------------------

This document was prepared as an account of work sponsored by an agency of
the United States Government.
Neither the United States Government nor the University of California nor
any of their employees, makes any warranty, express or implied, or assumes
any legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process disclosed, or
represents that its use would not infringe privately owned rights.
Reference herein to any specific commercial products, process, or service
by trade name, trademark, manufacturer, or otherwise, does not necessarily
constitute or imply its endorsement, recommendation or favoring by the
United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California, and
shall not be used for advertising or product endorsement purposes.

- -------------------------------------------------------------------

End of CIAC Notes Number 95-10 95_06_16

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBL+G9ALnzJzdsy3QZAQHDVAP9EL5fauODXnIiNJmUCd8ieeSppi+o6HOm
X2x87cPi1FIUCoklUMYTW/FnqfU8Z3BCAmraJdBv7DwX3LtqppSzM0dHg57CKX0N
0SK7ZlPn8xxppGctPAqkG+gOFqMdVaZB7kTJ0V3+R9rAazIvIlseb7Ohmuj7FXEu
Y1vAnwRzvFI=
=XyZq
-----END PGP SIGNATURE-----